To be honest, I did not do as much testing this time around as in previous releases, so I encourage feedback, issues, questions, bugs, whatever; just let me know. I just didn't want to delay the release any further.

I'll also try to work with Kristinn when he gets some time to try to create a linux / SIFT 3.0 release!

Sunday, February 16, 2014

I've been super busy and actually forgot to announce that I posted 4n6time, v.05 a few months ago. So here it is, boys and girls. As always, none of this would be possible without the tools that create timeline data (e.g. log2timeline, plaso) and the help of MANY people.

Before I get into what's new, I would like to quickly reflect. 4n6time was introduced as a proof of concept application demo'ed at the 2011 SANS 360 Summit and has grown into a global user base. In 2013, 4n6time was nominated for the "tool of the year" award by forensic4cast (vote again this year!).

I remember joking that 4n6time would be free to everyone except LE. A lot of people laughed at that joke. However, in hindsight LE is one of my primary motivators to continue to invest personal time and expenses in this project.

Mid last year I received an e-mail stating 4n6time was used to help prosecute a murder case by presenting a complex set of data to a jury in a way they could understand. A few weeks later I received an email that 4n6time helped a family understand the facts leading up to a suicide. I get testimonial emails like this all the time from people.

Hearing feedback that Davnads potentially impacted someone's life is surreal. It really is. Now if only I can figure out how to get a tax write-off on this??? Lol.

The general feedback I get is that 4n6time does not make evidence available that other tools do not. It just makes evidence more readily accessible, presents it in a way that is logical, and makes telling the story easy with a mouse. In fact I think the download counts from last year speak for themselves. Although I suspect Kristinn would argue that the logs all point to Davnads downloading his own tool ;-)

I guess the reason I am sharing this story is to encourage others to contribute to existing projects like plaso or to new projects. Everyone has to start somewhere and you never know where it will end up. I am also sharing this to thank people for the feedback. If it wasn't for the emails, challenge coins, patches and other swag I probably would have stopped investing in this project a long time ago.

Friday, September 13, 2013

As you probably already know, Remote Desktop Protocol and EnCase Forensic do not play well together in Windows 7, Server 2008, etc. As posted a few years ago, there are workarounds, but none are perfect. Even buying the NAS licensing server has limitations.

...I spent weeks trying to figure out a true solution. Then randomly, out of complete nowhere, a co-worker one day sends an email to our team (@CHI_ForensicLab) saying "Hey, if you ever have this problem with EnCase and RDP .. just do this..." I was shocked, amazed, but more importantly it worked!

Before you get started:

Note: this program requires administrative rights to run!

Caution: it requires the user to re-login to the RDP session (the user is not logged out).

Modified from http://community.spiceworks.com/how_to/show/873 and http://community.spiceworks.com/scripts/show/190-disconnect-terminal-services-session-remotely

I don't have time to support this but feel free to leave comments and I can see if my co-worker is interested in answering questions there.

Directions:

1. Copy the text below into a text file

2. If you have EnCase installed somewhere other than the default location, you’ll need to update the section starting at line 23.

set encase_v6x32="C:\Program Files (x86)\EnCase6\EnCase.exe"

set encase_v6x64="C:\Program Files\EnCase6\EnCase.exe"

set encase_v7x32="C:\Program Files (x86)\EnCase7\EnCase.exe"

set encase_v7x64="C:\Program Files\EnCase7\EnCase.exe"

3. Save as "Start Encase.bat"

4. Just double click "Start Encase.bat" after connecting via RDP to the workstation.

Thursday, July 25, 2013

I often rely on timelines to tell the story. However, it’s imperative to understand how the story was constructed to do this effectively.

Thanks to tools like log2timeline and plaso it’s easy to create timelines! Like any tool, it’s helpful to understand how these work. I am not implying you need to start brogramming, but you should at least learn the capabilities of the tools. This primarily requires understanding what input modules or parsers are available (and how they are invoked). If you’re relying strictly on timelines for analysis, this knowledge should enable you to understand whether the "entire story" is being told.

For instance, according to the timeline below, on March 4, 2012 at 00:28:17, a Windows Application (McAfee) Event Log entry was created. The description of this event states “The Scan was unable to scan password protected file 2011-W2.zip\\2011-W2.pdf. Scan engine version used is 5400.1158 DAT version 6498.0000.”

Looking at the context of this event I don’t see any notable activity that could be attributed as the source of this event log entry. However, taking a step back from this timeline example, knowing what I am NOT seeing could be equally as important as what is shown…

According to a 2012 Trend Micro report, Spear-Phishing Email: Most Favored APT Attack Bait, “91% of targeted attacks involve spear-phishing emails, reinforcing the belief that spear phishing is a primary means by which APT attackers infiltrate target networks.” Thus adding e-mail as a source in a timeline might be insightful.

As displayed below, seconds before the event log entry was created, an e-mail was received. This e-mail contained the attachment “2011-W2.zip”.

Now you probably want to know how e-mail magically appeared in the timeline above. At the SANS #DFIRSummit I introduced a new cmdline tool called Emailtime. The purpose of the tool is to create log2timeline CSV format timelines of PST files.

The tool was written in Python and is packaged as an EXE for distribution. It requires you to download the Developers version of Redemption as a dependency first. Oh, and run the Redemption installer as Administrator.

Special thanks to Steve Gibson (@stevegibson), the ninja, for helping pull this tool together. Note the tool is super ALPHA/BETA/WHATEVER, so use at your own risk. We look forward to bug reports and feedback. I already have a short list of “to do” items, including adding time zone offset and MSG support, but didn’t want it to hold back the release any further.

Additionally, as shown in the examples below, it has some neat filtering capabilities. This allows you to target e-mails of relevance more quickly based on e-mails that contain keywords, attachments, and/or hyperlinks.

Given the output of Emailtime, a log2timeline CSV file, you can import it into a new 4n6time database for review (File > Create Database). Alternatively, you can append it to an existing timeline database to overlay it with other timelines (File > Append Database).
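As an added example (not Emailtime or 4n6time code), the script below overlays an Emailtime-style e-mail timeline on a Windows event log timeline, both in log2timeline CSV (l2t_csv) layout, merges them chronologically the way File > Append Database does, and flags e-mails whose attachment name shows up in an event description within a few seconds, as in the McAfee example above. The sample rows, host and user names, and the "attachments:" convention in the extra column are constructed assumptions.

```python
import csv
import io
from datetime import datetime

# Constructed sample timelines in log2timeline CSV (l2t_csv) layout; not real case data.
L2T_HEADER = ("date,time,timezone,MACB,source,sourcetype,type,user,host,short,"
              "desc,version,filename,inode,notes,format,extra\n")
EVENTLOG_CSV = L2T_HEADER + (
    '03/04/2012,00:28:17,UTC,M...,EVT,Application Event Log,Event Logged,-,WS1,'
    'McAfee scan warning,"The Scan was unable to scan password protected file '
    '2011-W2.zip\\2011-W2.pdf. Scan engine version used is 5400.1158 DAT version '
    '6498.0000.",2,Application.evtx,0,-,evtx,-\n'
    '03/04/2012,00:30:05,UTC,M...,EVT,Application Event Log,Event Logged,-,WS1,'
    'Service started,"The Windows Update service entered the running state.",'
    '2,Application.evtx,0,-,evtx,-\n')
EMAIL_CSV = L2T_HEADER + (
    '03/04/2012,00:28:09,UTC,M...,EMAIL,PST,Email Received,jdoe,-,Your 2011 W2,'
    '"From: payroll@example.invalid Subject: Your 2011 W2",2,jdoe.pst,0,-,'
    'emailtime,attachments: 2011-W2.zip\n'
    '03/03/2012,18:02:44,UTC,M...,EMAIL,PST,Email Received,jdoe,-,Lunch?,'
    '"From: bob@example.invalid Subject: Lunch?",2,jdoe.pst,0,-,emailtime,-\n')

def parse_l2t(text):
    """Parse l2t_csv text into dicts and add a datetime (all rows here are UTC)."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["ts"] = datetime.strptime(row["date"] + " " + row["time"], "%m/%d/%Y %H:%M:%S")
    return rows

def attachments_of(row):
    """Attachment names; assumed (not Emailtime's format) to sit in 'extra' as 'attachments: a; b'."""
    extra = row["extra"]
    if not extra.startswith("attachments:"):
        return []
    return [a.strip() for a in extra.split(":", 1)[1].split(";") if a.strip()]

def merge_timelines(*timelines):
    """Append timelines and sort by time, as File > Append Database does in 4n6time."""
    return sorted((r for t in timelines for r in t), key=lambda r: r["ts"])

def correlate(merged, window_seconds=60):
    """Pair e-mails with later non-e-mail events in the window whose description names an attachment."""
    hits = []
    for mail in (r for r in merged if r["source"] == "EMAIL"):
        for name in attachments_of(mail):
            for ev in merged:
                delta = (ev["ts"] - mail["ts"]).total_seconds()
                if ev["source"] != "EMAIL" and 0 <= delta <= window_seconds and name in ev["desc"]:
                    hits.append((mail["short"], name, ev["short"], int(delta)))
    return hits
```

Running correlate() over the merged sample pairs the "Your 2011 W2" e-mail with the McAfee scan warning logged 8 seconds later; a real Emailtime export would need the attachment column mapped to wherever the tool actually writes it.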

For anyone who saw me speak at the HTCIA conference in Minnesota a few weeks ago, you know I am VERY excited about the new version of 4n6time (and some other soon-to-be-released tools to make your timelines epic!). Months of development and user feedback have been put into this release. There’s really too much to list about "what's new", so here are a few of my favorite improvements:

Updated plaso engine to version 1.0.1-1 (alpha) – As Kristinn pointed out, the latest version of plaso has many new enhancements and features. Also included are 2 new parsers contributed by me (thank you Kristinn for the help), Symantec AV and Google Drive!

Control plaso with a mouse! – Create your timeline(s) using a simple yet comprehensive user wizard. Create a timeline from a disk image, mount point, directory, CSV file, or body file! Also take advantage of plaso’s amazing file filtering and pre-filtering capabilities.

Tabbing – Because one timeline is never enough you can now view and jump between multiple timelines (subsequent to filtering) in tabs within the data grid view.

VirusTotal integration – In addition to right clicking on an event and viewing it with an external file viewer, MD5 hashing it, or exporting it, you can now check whether it’s a known file in the VirusTotal database (provided you have an internet connection).

Speed – The tool has more or less been completely refactored. It is 5x faster. This includes opening saved database files instantly (no more loading!).

It was almost a year ago, at the SANS DFIR summit, when Rob Lee gave me the opportunity to introduce 4n6time (then “l2t_Review”) to the community. I only had 360 seconds to show off the hundreds of hours of personal time I spent learning and developing the initial proof of concept.

As always, this project would not be possible without the existence of, and contributions to, timeline creation tools. Special thanks to Kristinn Gudjonsson, Joachim Metz and others for development on log2timeline and now Plaso. Also a special thanks to Eric Wong, who has been assisting me with the development these days.

Monday, April 8, 2013

Tuesday, January 8, 2013

Below is my reading list for Windows 8 DFIR. I suspect it’s only a matter of time until everyone sees a hard drive with Windows 8. If you have any other resources to add to the list, feel free to drop a comment and I'll add them.

Windows 8: Important Considerations for Computer Forensics and Electronic Discovery